Friday, October 16, 2009

The server www.xxxxxxx.com at Magic requires a username and password.

Recently one of my WordPress sites was giving this message: "The server www.xxxxxxx.com at Magic requires a username and password" when I was trying to update or preview an old post.

After digging into this for a bit, I found that some files had been modified: ./wp-includes/vars.php and a couple of files in the plugins directory, like ./wp-content/plugins/akismet/akismet.php.

All these files have lines (usually the first line) containing: eval(gzinflate(base64_decode('1VVtT9swEP7 [...]

After removing these lines (manually via SSH or FTP), the WordPress site returned to normal. It seems like one of the WordPress administrators had some trojans on his computer; probably one of them modified the WordPress files through the WordPress admin area after he logged in.
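
Added example, not part of the original post: a Python sketch that walks a WordPress tree, reports every eval(gzinflate(base64_decode('...'))) line with its file and line number, and decodes the blob to text for inspection without ever executing it. All function names are hypothetical, and make_sample_line only builds a constructed, harmless line for trying the scanner out.

```python
import base64
import re
import zlib
from pathlib import Path

# eval(gzinflate(base64_decode('...'))) with optional whitespace, either quote style.
INJECT_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)

def decode_payload(b64_text):
    """Return the PHP source hidden in the blob, or None if truncated/corrupt."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
        # PHP's gzinflate() reads a raw DEFLATE stream: wbits=-15 means no header.
        return zlib.decompress(raw, -15).decode("utf-8", errors="replace")
    except (ValueError, zlib.error):
        return None

def scan_tree(root):
    """Yield (path, line_no, decoded_or_None) for each injected statement."""
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in INJECT_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            yield str(path), line_no, decode_payload(m.group(2))

def make_sample_line(inner_php):
    """Wrap harmless text the same way, as constructed test input only."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(inner_php.encode()) + comp.flush())
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob.decode()

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, line_no, decoded in scan_tree(root):
        print(f"{path}:{line_no}")
        print("  decoded:", (decoded or "<could not decode>")[:200])
```

Run it with the WordPress root as the only argument; a hit on line 1 of a core or plugin file matches the pattern described in the post.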

3 comments:

Probably fixed by now with the current WordPress version because this kind of problem came out before version 2.8.2 was released. It is probably a hack attack based on vulnerabilities of the pre-2.8.2 version.